Guide to Computer Forensics
and Investigations
Fifth Edition
Chapter 1
Understanding The Digital Forensics
Profession and Investigations
Objectives
• Describe the field of digital forensics
• Explain how to prepare computer investigations
and summarize the difference between public-sector and private-sector investigations
• Explain the importance of maintaining professional
conduct
• Describe how to prepare a digital forensics
investigation by taking a systematic approach
Guide to Computer Forensics and Investigations Fifth Edition
© Cengage Learning 2015
2
Objectives
• Describe procedures for private-sector digital
investigations
• Explain requirements for data recovery
workstations and software
• Summarize how to conduct an investigation,
including critiquing a case
An Overview of Digital Forensics
• Digital forensics
– The application of computer science and
investigative procedures for a legal purpose
involving the analysis of digital evidence after proper
search authority, chain of custody, validation with
mathematics, use of validated tools, repeatability,
reporting, and possible expert presentation.
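The definition above lists "validation with mathematics" and "repeatability" as requirements. In practice that means hashing an evidence image at acquisition time, recording the digests in the chain-of-custody record, and re-hashing later to prove the image is unchanged. The following is an added example written for this page, not code from the textbook or from any forensic tool; the case ID, examiner name and image content are constructed placeholders.

```python
"""Added example (not from the textbook): hash-based validation of an
evidence image, i.e. the "validation with mathematics" and "repeatability"
steps in the definition of digital forensics above."""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never has to fit in RAM


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a readable binary stream, read once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Hash an in-memory byte string (handy for known-answer checks)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file on disk, e.g. a raw (dd) evidence image."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def record_acquisition(path, examiner, case_id):
    """Build the chain-of-custody entry written when the image is acquired.
    Both MD5 and SHA-256 are recorded so the result can be compared with
    tools that report either one."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "image": os.path.basename(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(path),
    }


def verify_image(path, record):
    """Re-hash the image and compare with the recorded digests.
    Returns (ok, mismatches); mismatches maps algorithm -> (expected, actual).
    Running this again at any later time is the repeatability check."""
    expected = record["hashes"]
    current = hash_file(path, tuple(expected))
    mismatches = {
        name: (expected[name], current[name])
        for name in current
        if current[name] != expected[name]
    }
    return (not mismatches, mismatches)


def demo():
    """Acquire, verify, tamper, verify again. Returns (ok_before, ok_after,
    algorithms that detected the change)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        # Constructed sample: a few KiB of repeated text standing in for a disk image.
        with open(image, "wb") as fh:
            fh.write(b"SAMPLE IMAGE CONTENT " * 4096)

        record = record_acquisition(image, "examiner-placeholder", "CASE-0000")
        ok_before, _ = verify_image(image, record)

        # Simulate a single byte changed after acquisition (for example an
        # image mounted read-write instead of behind a write blocker).
        with open(image, "r+b") as fh:
            fh.seek(100)
            fh.write(b"X")

        ok_after, mismatches = verify_image(image, record)
        return ok_before, ok_after, sorted(mismatches)


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha256'])
```

The acquisition record is what goes into the chain-of-custody paperwork; any later examiner (or the opposing expert) can rerun `verify_image` against the same image and the same record and get the same answer, which is what makes the step repeatable.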
– In October 2012, an ISO standard for digital
forensics was ratified - ISO 27037 Information
technology - Security techniques
An Overview of Digital Forensics
• The Federal Rules of Evidence (FRE) were created
to ensure consistency in federal proceedings
– Signed into law in 1973
– Many states’ rules map to the FRE
• FBI Computer Analysis and Response Team
(CART) was formed in 1984 to handle cases
involving digital evidence
• By late 1990s, CART teamed up with Department
of Defense Computer Forensics Laboratory (DCFL)
An Overview of Digital Forensics
• The Fourth Amendment to the U.S. Constitution
protects everyone’s right to be secure from search
and seizure
– Separate search warrants might not be necessary
for digital evidence
• Every U.S. jurisdiction has case law related to the
admissibility of evidence recovered from computers
and other digital devices
Digital Forensics and Other Related
Disciplines
• Investigating digital devices includes:
– Collecting data securely
– Examining suspect data to determine details such as
origin and content
– Presenting digital information to courts
– Applying laws to digital device practices
• Digital forensics is different from data recovery
– Which involves retrieving information that was
deleted by mistake or lost during a power surge or
server crash
Digital Forensics and Other Related
Disciplines
• Forensics investigators often work as part of a
team, known as the investigations triad
Digital Forensics and Other Related
Disciplines
• Vulnerability/threat assessment and risk
management
– Tests and verifies the integrity of stand-alone workstations
and network servers
• Network intrusion detection and incident response
– Detects intruder attacks by using automated tools and
monitoring network firewall logs
• Digital investigations
– Manages investigations and conducts forensics analysis of
systems suspected of containing evidence
A Brief History of Digital Forensics
• By the early 1990s, the International Association of
Computer Investigative Specialists (IACIS)
introduced training on software for digital forensics
• IRS created search-warrant programs
• ASR Data created Expert Witness for Macintosh
• ILook is currently maintained by the IRS Criminal
Investigation Division
• AccessData Forensic Toolkit (FTK) is a popular
commercial product
Understanding Case Law
• Existing laws can’t keep up with the rate of
technological change
• When statutes don’t exist, case law is used
– Allows legal counsel to apply previous similar cases
to current one in an effort to address ambiguity in
laws
• Examiners must be familiar with recent court
rulings on search and seizure in the electronic
environment
Developing Digital Forensics
Resources
• To supplement your knowledge:
– Develop and maintain contact with computing,
network, and investigative professionals
– Join computer user groups in both the public and
private sectors
• Example: Computer Technology Investigators
Network (CTIN) meets to discuss problems that
digital forensics examiners encounter
– Consult outside experts
Preparing for Digital Investigations
• Digital investigations fall into two categories:
– Public-sector investigations
– Private-sector investigations
Preparing for Digital Investigations
• Public-sector investigations involve government
agencies responsible for criminal investigations and
prosecution
• Fourth Amendment to the U.S. Constitution
– Restricts government search and seizure
• The Department of Justice (DOJ) updates
information on computer search and seizure
regularly
• Private-sector investigations focus more on policy
violations
Understanding Law Enforcement
Agency Investigations
• When conducting public-sector investigations, you
must understand laws on computer-related crimes
including:
– Standard legal processes
– Guidelines on search and seizure
– How to build a criminal case
• The Computer Fraud and Abuse Act was passed in
1986
– Specific state laws were generally developed later
Following Legal Processes
• A criminal investigation usually begins when
someone finds evidence of or witnesses a crime
– Witness or victim makes an allegation to the police
• Police interview the complainant and write a
report about the crime
• Report is processed and management decides to
start an investigation or log the information in a
police blotter
– Blotter is a historical database of previous crimes
Following Legal Processes
• Digital Evidence First Responder (DEFR)
– Arrives on an incident scene, assesses the situation,
and takes precautions to acquire and preserve
evidence
• Digital Evidence Specialist (DES)
– Has the skill to analyze the data and determine when
another specialist should be called in to assist
• Affidavit - a sworn statement in support of facts
about or evidence of a crime
– Must include exhibits that support the allegation
Understanding Private-Sector
Investigations
• Private-sector investigations involve private
companies and lawyers who address company
policy violations and litigation disputes
– Example: wrongful termination
• Businesses strive to minimize or eliminate litigation
• Private-sector crimes can involve:
– E-mail harassment, falsification of data, gender and
age discrimination, embezzlement, sabotage, and
industrial espionage
Understanding Private-Sector
Investigations
• Businesses can reduce the risk of litigation by
publishing and maintaining policies that employees
find easy to read and follow
• Most important policies define rules for using the
company’s computers and networks
– Known as an “Acceptable use policy”
• Line of authority - states who has the legal right to
initiate an investigation, who can take possession
of evidence, and who can have access to evidence
Understanding Private-Sector
Investigations
• Businesses can avoid litigation by displaying a
warning banner on computer screens
– Informs end users that the organization reserves the
right to inspect computer systems and network traffic
at will
Understanding Private-Sector
Investigations
• Sample text that can be used in internal warning
banners:
– Use of this system and network is for official
business only
– Systems and networks are subject to monitoring at
any time by the owner
– Using this system implies consent to monitoring by
the owner
– Unauthorized or illegal users of this system or
network will be subject to discipline or prosecution
Understanding Private-Sector
Investigations
• Businesses are advised to specify an authorized
requester who has the power to initiate
investigations
• Examples of groups with authority
– Corporate security investigations
– Corporate ethics office
– Corporate equal employment opportunity office
– Internal auditing
– The general counsel or legal department
Understanding Private-Sector
Investigations
• During private investigations, you search for
evidence to support allegations of violations of a
company’s rules or an attack on its assets
• Three types of situations are common:
– Abuse or misuse of computing assets
– E-mail abuse
– Internet abuse
• A private-sector investigator’s job is to minimize
risk to the company
Understanding Private-Sector
Investigations
• The distinction between personal and company
computer property can be difficult with cell phones,
smartphones, personal notebooks, and tablet
computers
• Bring your own device (BYOD) environment
– Some companies state that if you connect a
personal device to the business network, it falls
under the same rules as company property
Maintaining Professional Conduct
• Professional conduct - includes ethics, morals,
and standards of behavior
• An investigator must exhibit the highest level of
professional behavior at all times
– Maintain objectivity
– Maintain credibility by maintaining confidentiality
• Investigators should also attend training to stay
current with the latest technical changes in
computer hardware and software, networking, and
forensic tools